The field of security information/event management is generally concerned with collecting data from networks and network devices that reflects network activity and/or operation of the devices, and analyzing the data to enhance security. For example, the data can be analyzed to identify an attack on the network or a network device and determine which user or machine is responsible. If the attack is ongoing, a countermeasure can be performed to thwart the attack or mitigate the damage caused by the attack. The data that is collected usually originates in a message (such as an event, alert, or alarm) or an entry in a log file, which is generated by a network device. Examples of network devices include firewalls, intrusion detection systems, servers, etc.
A security system is useful if it can discriminate between normal system usage and true intrusions (accompanied by appropriate alerts). If intrusions can be detected and the appropriate personnel notified in a prompt fashion, measures can be taken to avoid compromises to the protected system. Otherwise such safeguarding cannot be provided. However, discriminating between normal system usage and true intrusions is difficult, especially in large networks that may generate hundreds of thousands of messages or log file entries.
In addition, the ability to detect intrusions is exasperated, in many instances, because a single user may have multiple IDs for different systems (e.g., email ID, badge ID, Windows domain ID, UNIX account IDs on various machines, application IDs, etc.) monitored by the security system. It is difficult to correlate activities by the same user from different IDs. Similarly, it is difficult to consider roles and location to detect suspicious activity. For example, certain activity may be allowed only for California employees or employees that directly or indirectly inherit a certain role.